IE Createtextrange Vuln went quiet
Everyone went quiet on the latest IE vulnerability, which is hopefully not the calm before the storm.
I’ve had plenty of time to think about and read about differing opinions on the “third-party patch” quandary (my original post on it is here). I’ve read opinions that companies could be releasing third-party patches as a means of getting their name in front of potential customers or as a means of PR/advertisement.
That fact alone presents us with a great opportunity because Microsoft certainly has noticed the third-party patch trend and all the buzz it generated last week. That attention will force them to re-evaluate their monthly patch policy, not because it's the wrong policy (which it is) but because it's a potential weapon for their competition.
Consider it from Microsoft's point of view: Company X is given the means to make a profit off vulnerabilities discovered in Microsoft's products because Microsoft is too slow in releasing a patch. This will directly compete with Microsoft's OneCare Live service, due to release in June of this year.
To stifle that competition Microsoft can do one or both of two things:
- Change their policy such that critical vulnerabilities are patched expeditiously (read: out-of-cycle) and/or;
- Push OneCare by releasing protection "signatures" to that product before they release patches.
From a strictly financial aspect option #2 is definitely the route to go. Option 2 helps drive customers to the OneCare service by touting its ability to protect machines from vulnerabilities during the race from public disclosure to full patch deployment. In the case of the createtextrange vulnerability in IE, Microsoft could make a statement such as “we don’t see a critical need for an out of cycle patch, however, we have released signatures to protect our OneCare subscribers.” The carrot and the stick never looked better.
However, from a PR aspect a combination of both methods would be most beneficial. Option 1 appeases the security community by doing the right thing and addressing critical vulnerabilities rapidly, while also protecting the soccer moms out there who aren't system administrators and just want to swap email and play Mahjong on a broadband connection.
Hopefully Microsoft will accurately judge the situation and change their policy in the near future, though I don't expect it will happen any time soon.